Usernames and passwords are used to protect computer systems and can be used to authenticate a user. Use of a username and password to authenticate a user is a traditional single-factor authentication mechanism. As an example, a user may want to view email that is stored on a server. The user sends a request to the server storing the email, and the server responds by requesting a username and a password. If the user provides a valid username and password, the server grants the user access to the server and the email. Single-factor authentication relies on the diligence of the user to choose a strong password and to ensure that the password cannot be guessed or stolen. Unfortunately, passwords are easily compromised, and more complex authentication systems, such as multi-factor authentication, have been developed.
Multi-factor authentication can be used in a variety of environments and in a variety of situations. As an example, a person attempting to withdraw funds from a bank account may have to complete two-factor authentication before making the withdrawal. The person may have to enter the personal identification number (PIN) associated with their ATM card as well as provide a one-time code that is sent to their mobile device via text message or email. Such a one-time code may be valid only for a limited time window, e.g., one hour, after which it is rejected even if it was never used.
Multi-factor authentication is a form of authentication requiring two or more authentication factors, including knowledge factors, e.g., something that only the user knows, and possession factors, e.g., something that only the user has. As an example, a knowledge factor can include a password or a PIN. A possession factor is analogous to a key to a lock and can take the form of a secret number. The secret number can be a one-time password, such as a password that changes every sixty seconds and is generated using a random key, or seed. The seed can be hard-coded into a security token and is equivalent to the combination to a vault. The seed is different for each hardware security token, and a copy of each seed is stored in a corresponding authentication server. An additional authentication factor can include an inherence factor, e.g., something that only the user is. An inherence factor can include a fingerprint, a voiceprint, a retinal scan, etc.
A security token, e.g., a hardware device or a software device, can be used in a two-factor authentication system as an electronic key to prove one's identity. A hardware security token can be a token with a display, such as a pocket-sized hardware token having a liquid crystal display (LCD) that displays a one-time password. Because the authentication server holds a copy of the token's seed, it can compute the number that a particular hardware token should be displaying at any given time, and it uses this number to verify that the user is in possession of the token. The pocket-sized authentication token can be carried on a lanyard or attached to a key ring and carried in a pocket or a purse. The hardware security token also can be embedded in a cellular telephone, in a smartcard that is inserted into a computer or detected via a proximity detector, or in a universal serial bus (USB) token that is inserted into a computer. A software token can use a mobile device application to generate a one-time password.
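The seed-based one-time password scheme described in the preceding paragraphs (a shared seed, a code that changes every fixed interval, a server that computes the expected code and checks it within a validity window) is illustrated below as an added example; it is not code from the disclosure. It implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) with a sixty-second step, which is an assumption about the token type; the token serial `TOKEN-0001`, the `TokenRegistry` class and the fixed timestamp are constructed for the demonstration, and the demo seed is the published RFC test-vector secret, not a real token seed.

```python
"""Seed-based one-time passwords: token side (code generation) and server side
(expected-code computation, drift window, single-use enforcement).
Added illustration, not code from the disclosure."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: float, step: int = 60, digits: int = 6) -> str:
    """What the token displays: the counter is the number of `step`-second intervals
    since the Unix epoch, so the code changes every `step` seconds (60 s assumed here)."""
    return hotp(seed, int(at) // step, digits)


class TokenRegistry:
    """Server side: one seed per token serial, plus the last counter accepted
    for that token so that a code can be used only once (hypothetical class)."""

    def __init__(self, step: int = 60, digits: int = 6, skew: int = 1):
        self.step, self.digits, self.skew = step, digits, skew
        self._seeds: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed
        self._last_counter[serial] = -1

    def verify(self, serial: str, submitted: str, at: float) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        now_counter = int(at) // self.step
        # Accept codes from +/- `skew` steps to tolerate clock drift between token
        # and server, but never a counter at or below the last one accepted:
        # a one-time code that has already been used must not work a second time.
        for counter in range(now_counter - self.skew, now_counter + self.skew + 1):
            if counter <= self._last_counter[serial]:
                continue
            expected = hotp(seed, counter, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self._last_counter[serial] = counter
                return True
        return False


# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector secret, not a real token seed.
DEMO_SEED = b"12345678901234567890"


def demo() -> dict:
    """Runs the exchange: valid code accepted, replay rejected, expired code rejected,
    and a party holding a copy of the seed produces the identical code."""
    reg = TokenRegistry(step=60)
    reg.enroll("TOKEN-0001", DEMO_SEED)
    now = 1_700_000_000  # fixed timestamp so the run is reproducible
    code = totp(DEMO_SEED, now)                      # what the token's LCD shows
    first = reg.verify("TOKEN-0001", code, now)      # server recomputes and accepts
    replay = reg.verify("TOKEN-0001", code, now + 5)  # same code again: rejected
    stale = reg.verify("TOKEN-0001", totp(DEMO_SEED, now - 10 * 60), now)  # ten minutes old
    # Whoever holds the seed computes the same code as the token: the seed is the secret.
    cloned = totp(DEMO_SEED, now) == code
    return {"first": first, "replay": replay, "stale": stale, "cloned": cloned}


if __name__ == "__main__":
    print(demo())
```

The `skew` window is the practical counterpart of the validity window mentioned above: widening it tolerates more clock drift but lengthens the period during which an observed code remains usable, which is why the registry also records the last accepted counter.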
Unfortunately, two-factor authentication methods also are not completely secure and have been compromised. In a well-documented event in 2011, attackers were able to reduce the effectiveness of a widely used proprietary two-factor authentication approach based on a hardware security token. The hardware security token vendor was forced to replace forty million hardware tokens. The attackers had obtained the seeds used by the hardware security tokens to generate one-time codes, and because anyone holding a token's seed can compute the same codes as the token, they used the seeds to attack a defense contractor's virtual private network (VPN) access system. Because this authentication approach was so widely used and ingrained in network hardware and software, transitioning to other authentication approaches has been difficult. From a security perspective, it is important to transition away from authentication methods that have been compromised, but such a transition has proven expensive and presents companies and organizations with a difficult operational and logistical challenge.
Furthermore, many forms of authentication are inflexible, particularly with respect to network elements connected to a communications network. For instance, a Terminal Access Controller Access-Control System (TACACS) authentication server either accepts or rejects an authentication request, and access is correspondingly either allowed or denied. Typically, a user sending a request to a TACACS server is granted either full access to a network element connected to the communications network or no access to that network element at all. This all-or-nothing form of access control is not appropriate for certain situations.
It is with these issues in mind, among others, that various aspects of the disclosure were conceived.